Re: Theo chiming in on strlcpy

On Sat, Dec 21, 2013 at 07:38:23PM +0000, David Holland wrote:
> On Sat, Dec 21, 2013 at 08:22:05PM +0100, Marc Espie wrote:
> > Yeah, you're probably the 1% that uses strcpy correctly the first time.
> >
> > But think about it. Less gifted developers are going to use it
> incorrectly.
> > Or go write impossible-to-audit messes.
> >
> > I prefer having my code go 0.5% less fast, but not to have to spend hours
> > auditing wacky wacky wacky string stuff.
>
> Not only have I thought about it, I've been patching insecure code as
> long as just about anyone. I just don't happen to agree with your
> dogma.
Well, aren't you getting tired of patching the same mistakes again and again ?
I mostly got my opinion (what you called "dogma") when I started realizing
I didn't have enough time to fix it all. And when you start delegating, or
teaching, you start realizing what is "obvious" to you is very complicated
for a lot of people (because they don't have your experience).
Face it, the numbers are against us. We're going to be overrun by
zombies^Wjava developers^Wbeginners...
there are too many misused strcpy out there, and not enough good developers.
You can't enlighten them all. Giving them better and simpler tools is more
cost-effective.